The solution we had in place could not scale to our growing requirements. We spent more time managing agents than in managing our compliance. Qualys was easy to use, easy to deploy and allows us to focus on what we do best, which is manage risk.

Global IT Security Manager,
Large Financing Company

Highlights

Define policies

With PC, you can leverage out-of-the-box library content to fast-track your compliance assessments using industry-recommended best practices such as CIS Benchmarks. PC also provides a centralized, interactive console for specifying the baseline standards required for different sets of hosts. You can quickly create policies based on a previously scanned host.

Assess and remediate

By automating the evaluation of requirements against multiple standards for OSes, network devices and applications, PC lets you identify issues quickly and prevent configuration drift. With PC, you can prioritize and track remediation and exceptions, demonstrating a repeatable, auditable process for compliance management focused on the most critical issues first.

Inform

PC lets you customize and deliver comprehensive reports to document progress for IT staffers, business executives, risk managers and auditors. With mandate-based reporting, you can easily see how you compare against requirements in a variety of overlapping regulatory or industry-required control objectives.

Specify controls

PC’s interactive editor organizes controls according to policies’ technologies, while search tools let you find relevant controls according to attributes. While setting up a control, you can immediately test the specified configuration. Select from an extensive controls library for OSes, network devices, databases and apps, and create custom controls without programming.

Interactively set up IT standards for hardening configurations and complying with relevant regulations

Define configuration policies required for different environments and assets
Specify baseline standards required for different sets of hosts in Qualys’ centralized, interactive console. Hosts discovered and categorized by business function in Qualys VM can have hardening policies assessed in Qualys PC.

Use a previously scanned host as a "golden image"
Create policies based on a previously scanned host in minutes. Qualys PC selects controls and setting values to match the master machine’s "golden image."

Draw from a built-in library of extensively used policies certified by CIS
Tap Qualys’ library of built-in policies to comply with common security standards and regulations. Qualys provides a wide range of policies, including many certified by CIS, and others based on vendor security guidelines.

Use SCAP content streams
Import Security Content Automation Protocol (SCAP) source data stream content to define policies. This simplifies verifying devices for compliance with standards such as the US Government Configuration Baseline (USGCB).

Create custom policies via an interactive web-based editor
Add your own policies with Qualys PC’s web-based policy editor. Choose which technologies to cover, and organize relevant controls into sections. Each control can reference external standards so that automated policies match up with printed requirements documents.

Leverage custom controls in library policies
Library policies provided by Qualys may include a new control type called Qualys Custom Control, which can provide users with new controls similar to user-defined controls.

Select host & app settings to check for each policy

Qualys PC’s interactive editor automatically organizes controls according to the technologies associated with each policy. Its search engine quickly finds relevant controls according to attributes such as name, category, framework, and others.

Test controls immediately without rescanning or reporting
While setting up a control within Qualys, test the specified configuration, so you don’t have to run a new scan or generate a special report each time you edit a control. Qualys gives you a list of relevant hosts to choose from and shows you what values were gathered.

Select from a rich library of controls for OSes, network devices, databases & apps
Qualys’ extensive, continually updated library of more than 15,000 checks spans more than 50 technologies. Controls can be filtered and selected according to multiple attributes, including: description keywords and category.

Monitor the integrity of files and watch for changes
Qualys can monitor arbitrary files on Windows and Unix/Linux hosts for changes so that unexpected modifications can be caught quickly.

Create custom controls without writing code or scripts
Extend Qualys’ controls easily without programming. On Unix/Linux and Windows hosts, attributes of files and directories can be examined with just a few clicks. On Windows hosts, checks for registry entries, share permissions, and WMI queries can also be added quickly.

See how controls relate to critical frameworks and regulations
Qualys provides context information for each built-in control such as the standards frameworks to which the control applies, including: CIS, COBIT, ISO 17799 & 27001, NIST SP800-53, ITIL v2, HIPAA, FFIEC, NERC-CIP.

Make policies active or inactive
Every policy in your account is in an active or inactive state. Inactive policies will not be scanned or reported on. By default, policies are marked active. You may want to hide a new policy while you’re working on it, or an existing one you’re editing, and then publish it at a later time.

Scan and analyze OS and application configurations on each target host

With Qualys PC, you can scan systems anywhere from the same console. You can select target hosts by IP address, asset group or IP range. After scanning deeply, you can create custom reports for each audience with the appropriate level of detail.

Scan quickly & efficiently
Qualys PC works unobtrusively in even the largest networks. Use your existing asset groups to select systems to scan. Do internal network scans in parallel using multiple appliances to accelerate scanning and prevent network bottlenecks.

Scan on demand or on a schedule
Qualys gives you the flexibility to scan whenever you want. You can launch scans with a click to manually check desired hosts, or schedule recurring scans with specific durations to match your maintenance windows.

Assess deeply with authentication scans
Qualys can securely use authentication credentials to log in to each host, database or web server. For added control, Qualys can pull passwords dynamically from 3rd-party credential management systems and use privilege escalation systems such as “sudo”.

Do continuous compliance with Qualys Cloud Agents
Turn Qualys PC into a real-time compliance assessment solution with the groundbreaking Cloud Agents. These lightweight agents are always up to date and require neither credential management nor complex remote access through the firewall. They monitor assets around the clock, even if they’re offline.

Qualys PC automates the labor-intensive process of checking settings on each machine in your network. By helping you address violations quickly, before they get too far out of hand, Qualys PC makes remediation efforts more predictable and avoids last-minute emergencies during audits.

Know that audits will show compliance, not uncover violations
Know whether your IT systems are compliant with configuration mandates. Issues can be resolved early, reducing or eliminating the chances for failed IT audits. Instead, with Qualys PC, audits validate that you are following the kinds of best practices that reassure auditors.

Customize comprehensive reports to document progress

It’s essential to collect and analyze compliance data in order to evaluate and fine-tune IT security controls. Qualys PC gives you comprehensive compliance data so you can prioritize remediation and keep all stakeholders informed, including IT, business executives, risk managers and auditors.

Report anytime, any way – without rescanning
Qualys tracks configuration data across hosts and time, letting you use reports to better understand the security of your network. Draw from a library of built-in reports, change what’s shown or choose different sets of assets — all without having to rescan. Reports can be generated on demand or scheduled automatically and then shared with the appropriate recipients online, in PDF or CSV.

Compare compliance rates across policies, technologies and assets
Qualys helps you consolidate compliance results in different ways for clear, concise presentation to executives. Its graphical Scorecard reports allow you to examine multiple policies at once and see how compliance varied across different technologies and groups of assets. It also highlights changes over time, allowing you to track and compare different teams’ progress quickly.

Document that policies are followed & lapses get fixed
Qualys provides a systematic way to document that IT security policies have been defined and implemented. Auditors can quickly see that best practices are being followed and that violations are being found and fixed.

Create different reports for different audiences
Create custom report templates that communicate the right level of detail in the right way. Present scorecards to executives, connecting security results to business goals. Provide detailed drill-downs to IT teams who are checking into issues.

Enable data-driven risk & compliance management
With Qualys PC, decisions about risk and compliance management can be based on facts and data rather than guesses and instinct. It provides a continuously up-to-date view of how IT system configurations measure up to requirements and defined baselines.

Share data with GRC systems & other enterprise applications
Qualys provides valuable data programmatically to other systems. Through a comprehensive set of XML-based APIs, your GRC and other compliance applications can obtain data about each host asset, initiate scans, and perform various other tasks.

Generate Mandate Based Reports to View Compliance Posture
View your compliance posture in terms of the underlying security baseline against selected mandates by launching a mandate-based report. Use mandate-based report templates to create harmonized reports on compliance policies and mandates.

View Remediation Information in Reports
Include remediation information for control technologies in compliance reports. For system defined controls, reports display remediation information set by Qualys. For user defined controls, remediation information you set is displayed in the reports.

Powered by the Qualys Cloud Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all of their IT assets — from a single dashboard interface. It’s fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.